Penetration Testing and Vulnerability Scanning are areas with a lot of overlap. The difference between the two is less in the exact menu of tools used, and more the context and application. In whitehat applications the two categories differ more in who is doing it, where, and why, and what surrounding activities they perform, and less on exactly what the heart of the scan does.

Penetration Testing I've most often seen used to describe an external vulnerability assessment. The customer will negotiate a contract with the provider, and very often (at least every case I've been involved with :-) the contract will completely prohibit exploitation of holes found, acknowledging that without that exploitation the pentester can not guarantee that some additional protection behind the facade might not have actually prevented the successful exploitation of the found hole. Pen-testing is routinely performed from the internet at the outside perimeter of the target, and the negotiated contract has terms limiting what will be attempted --- no DoS, no exploitation, only during agreed-on time windows, only from IP addrs which have been announced to the target before the scan begins, that sort of thing.

Vulnerability Scanning I've seen as a task normally carried out by security engineers within the organization; they may use open source components, homebrew tools, commercial proprietary products, or some mix of the lot, but the emphasis is on periodic scanning of the whole net --- with emphasis on the inside net, behind the firewall --- to find config errors and rogue machines and the like. I could see a vulnscanning plan that included use of exploitation to follow up and confirm that claimed found vulns are in fact exploitable.

-Bennett
This archive was generated by hypermail 2b30 : Sun Mar 09 2003 - 10:14:57 PST